Level 46

A critical vulnerability affecting many consumer and corporate products from F-Secure could have been exploited for remote code execution using specially crafted archive files.

A researcher who uses the online moniker “landave” has identified several vulnerabilities related to 7-Zip, an open source file archiver used by many commercial products. Some of the security holes impact 7-Zip and products using it, while others are specific to the third-party implementations of 7-Zip.

Some of the vulnerabilities, disclosed in 2017, impact Bitdefender products. On Tuesday, landave published a blog post describing how one of the 7-Zip bugs he identified last year, namely CVE-2018-10115, can be used to achieve remote code execution on most F-Secure endpoint protection products for Windows.

The details of the vulnerability have been disclosed after F-Secure rolled out a patch via its automatic update mechanisms on May 22. Users don’t need to take any action, unless they explicitly disabled automatic updates.

Exploiting the vulnerability against 7-Zip directly was relatively easy and it only required the targeted user to extract a specially crafted RAR file. However, in the case of F-Secure products, exploitation is more difficult due to the use of the Address Space Layout Randomisation (ASLR) memory protection system.

However, landave has found a way to bypass the protection and achieve code execution via malicious RAR files. The attacker could have sent the malicious file to the victim attached to an email, but this attack scenario required that the recipient manually trigger a scan of the file.

A more efficient method involved getting the victim to visit a malicious web page set up to automatically download the exploit file.

“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.

In its own advisory, F-Secure said the flaw could have been exploited to take complete control of a system, but there was no evidence of exploitation before the release of the patch.

The security firm also pointed out that some user interaction was required for the exploit to work and noted that archive scanning is only triggered if the “Scan inside compressed files” option is enabled.

F-Secure has paid out a bug bounty, but the amount has not been disclosed. According to its Vulnerability Rewards Program page, the company offers up to €5,000 ($5,800) for vulnerabilities that allow remote code execution on the client software.
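The article describes an endpoint product that intercepts HTTP traffic, automatically scans files up to 5 MB, and (when archive scanning is on) extracts compressed files before the user has even noticed a download. The following is an added example, not code from the article, the researcher, or F-Secure: a small gateway-side classifier that identifies RAR archives by their magic bytes rather than by extension or declared Content-Type, so an archive fetched silently by an asynchronous request under a misleading header is still recognised and logged for review. The 5 MB figure is the one quoted in the article; the verdict labels and the list of "disguising" content types are assumptions made for this example, and the sample responses are constructed, not real captures.

```python
# Added example (not code from the article, landave, or F-Secure).
# Flags RAR archives in HTTP responses that would fall into an endpoint
# product's "scan files up to 5 MB and extract compressed files" path.

SCAN_SIZE_LIMIT = 5 * 1024 * 1024  # 5 MB, the limit quoted in the article

# Well-known RAR magic bytes (RAR 1.5-4.x and RAR 5.x).
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"

# Declared content types under which an archive body should never appear
# (assumed list for this example).
DISGUISE_TYPES = ("text/", "image/", "application/json", "application/javascript")


def rar_version(data: bytes):
    """Return 'rar5', 'rar4' or None based on the leading magic bytes."""
    if data.startswith(RAR5_MAGIC):
        return "rar5"
    if data.startswith(RAR4_MAGIC):
        return "rar4"
    return None


def classify_response(body: bytes, headers: dict) -> dict:
    """Classify one HTTP response body.

    Returns the facts an analyst would want logged plus a verdict:
    'allow', 'log', 'review' or 'alert' (assumed policy labels).
    """
    version = rar_version(body)
    content_type = headers.get("Content-Type", "").lower()
    disguised = version is not None and content_type.startswith(DISGUISE_TYPES)
    within_scan_limit = len(body) <= SCAN_SIZE_LIMIT

    if version is None:
        verdict = "allow"
    elif disguised:
        verdict = "alert"    # archive delivered under a non-archive content type
    elif within_scan_limit:
        verdict = "review"   # small enough to be auto-scanned and extracted on the endpoint
    else:
        verdict = "log"      # over the limit: not auto-scanned on the wire

    return {
        "is_rar": version is not None,
        "rar_version": version,
        "size": len(body),
        "content_type": content_type,
        "disguised": disguised,
        "within_scan_limit": within_scan_limit,
        "verdict": verdict,
    }


# Constructed sample responses (not real captures): name, body, headers.
SAMPLES = [
    ("rar5 served as html", RAR5_MAGIC + b"\x00" * 64, {"Content-Type": "text/html"}),
    ("rar4 as octet-stream", RAR4_MAGIC + b"\x00" * 64, {"Content-Type": "application/octet-stream"}),
    ("rar4 over 5 MB", RAR4_MAGIC + b"\x00" * SCAN_SIZE_LIMIT, {"Content-Type": "application/x-rar-compressed"}),
    ("png image", b"\x89PNG\r\n\x1a\n" + b"\x00" * 64, {"Content-Type": "image/png"}),
]


def run_samples() -> dict:
    """Classify every constructed sample; returns {sample name: verdict}."""
    return {name: classify_response(body, hdrs)["verdict"] for name, body, hdrs in SAMPLES}


if __name__ == "__main__":
    for name, body, hdrs in SAMPLES:
        r = classify_response(body, hdrs)
        print(f"{name:22} {r['verdict']:7} rar={r['rar_version']} "
              f"size={r['size']} disguised={r['disguised']}")
```

The point of checking magic bytes instead of the declared type is that the delivery path in the article does not depend on the browser treating the response as a download; a proxy or NDR sensor that keys only on Content-Type or file extension would miss an archive served as `text/html`.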

Level 28

Thanks @silversurfer for the update. Glad to see that F-Secure is on their toes and fixed it, and I also saw Pavlov fixed this issue in 7-Zip with updates from version 18.01. The latest version of 7-Zip is now 18.05 (2018-05-01). This again proves that keeping one's software up to date is just as important as eating your vegetables.

Interesting bypass vector, and it makes me wonder if it's also possible with other archive software, as personally I don't use 7-Zip. Could this have been used against the non-full version of Safe? I couldn't get in direct contact with F-Secure today as it's too late now, but I will try tomorrow.

Level 40

Thanks @silversurfer. "Interesting bypass vector, and it makes me wonder if it's also possible with other archive software, as personally I don't use 7-Zip. Could this have been used against the non-full version of Safe? I couldn't get in direct contact with F-Secure today as it's too late now, but I will try tomorrow."

You don't have to use 7zip to be vulnerable to this. Many companies use the 7zip libraries and hence are fully vulnerable.

This exploit, from the sounds of it, generally seems to mean that simply surfing any website could allow a total system compromise. This isn't my field, but it sounds bad, and I would be horrified to have had something this nefarious sitting around for so long.

Level 28

No need to get horrified IMO, especially if one uses several product layers of protection and a tiny bit of common sense, and in this specific case it wasn't just a plain website visit that could sink your system.

Updates generally cover a lot, but of course not everything. I'm way too old to get spooked 24/7, and I don't like to click like crazy (uninstall/install/uninstall/install) just to find out that, oops, that product also has some issues. F-Secure fixed it and I'm satisfied with that. If they didn't, I would be annoyed.

Level 40

“This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,”

Level 40

Interaction was noted in the first part. Later he explained how, without interaction, it could be used to totally control a system. That is where those async background HTTP requests come in, which download the payload RAR in the background, which then triggers the AV to scan it and initiates the exploit and system compromise. All without user interaction.

That's why I find it sort of horrifying and would feel like dirt having had something this ridiculous hanging around on my systems. Extremely discouraging for F-Secure, a company that bills itself as being more proactive and secure. Ugh.

I agree, but I saw something now that raised my eyebrows and I strongly believe it's important to mention.

“It turns out that F-Secure’s products intercept HTTP traffic and automatically scan files with up to 5MB in size. This automatic scan includes (by default) the extraction of compressed files. Hence, we can deliver our victim a web page that automatically downloads the exploit file. To do this silently (preventing the user even from noticing that a download is triggered), we can issue an asynchronous HTTP request,” the researcher explained.

I can confirm that the F-Secure SAFE, Antivirus and Client Security products' setting for scanning compressed files is actually OFF (by default), not ON, and always has been. F-Secure's statement is crystal clear:

IMO this raises serious questions about the testing methodology created and reported by this "researcher". Also, how does a website visit with this exploit automatically infect a machine with F-Secure if the compressed file does not get extracted and scanned? Correct me if I'm wrong.
